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(54) Authentication method, communication method, and information processing apparatus 



(57) Mutual authentication is performed. A reader/ 
writer (R/W) transmits to an IC card a code C1 such that 
a random number RA is encrypted using a key KB. The 
IC card decrypts the code C1 into plain text M1 using 
the key KB. The IC card transmits to the R/W a code C2 
such that the plain text Ml Is encrypted using a key KA 
and a code C3 such that a random number RB is en- 
crypted using the key KA. The R/W decrypts the codes 



C2 and C3 into plain text M2 and plain text M3, respec- 
tively using the key KA. When the R/W determines that 
the plain text M2 and the random number RA are the 
same, it authenticates the IC card. Next the R/W trans- 
mits to the IC card a code C4 such that the plain text M3 
is encrypted using the key KB. The IC card decrypts the 
code C4 into plain text M4 using the key KB. When the 
IC card determines that the plain text M4 and the ran- 
dom number RB are the same, it authenticates the R/W. 



FIG. 1 



CM 
< 

o 

CM 
00 

o 

Q. 
LU 



READ COMMAND 



RESPONSE 




TO MAIN COMPUTER 



Printed by Jouvo. 75001 PARIS (FR) 



1 



EP 0 817 420 A2 



2 



Description 

The present invention relates to an authentication 
method, a communication method, and an information 
processing apparatus. More particularly, the present in- 
vention relates to an authentication method in which a 
plurality of information processing apparatuses authen- 
ticate one another, a communication method, and an in- 
formation processing apparatus. 

With the development of information processing 
technology, large amounts of information are communi- 
cated over predetermined transmission lines. Most 
transmission lines over which information is communi- 
cated are such that a third party (a party except for a 
transmission party or a receiving party) is capable of in- 
tercepting data which is being communicated. 

When communications are performed using 6uch 
transmission lines without wanting information to be 
leaked to a third party, codes are often used. As a result 
of using codes and communicating encrypted data, 
even if the encrypted data can be intercepted, it is diffi- 
cult for a third party to read the contents of the commu- 
nicated information from such data. 

For such an encryption method of generating 
codes, a method is often used which generates codes 
(data which is transmitted actually) from plain text (in- 
formation to be transmitted). 

For such codes using keys, there are two types: 
symmetric key codes and public key codes. In the sym- 
metric key codes, the key (encryption key data) during 
encryption and the key (decryption key data) during de- 
cryption are the same. For example, as symmetric key 
codes, a DES (Data Encryption Standard), one of the 
Feistel codes, is often used. On the other hand, in the 
public key codes, encryption key data differs from de- 
cryption key data. Further, the receiving party makes 
public, encryption key data from among those keys for 
the sake of the transmission party but keeps the decryp- 
tion key data hidden without making public the encryp- 
tion key data (that is, only the receiving party knows the 
decryption key data). 

Fig. 1 4 shows an example of 6uch a communication 
(secret communication) using keys (symmetric keys). A 
transmission party 101 encrypts information (plain text 
M) to be transmitted into a code C by using a key K. 
Then, the transmission party 101 transmits the code C 
to a receiving party 102 over a predetermined transmis- 
sion line. 

The receiving party 102 receives the code C and 
decrypts it by using the same key K as the key K that 
the transmission party 101 has in order to obtain the in- 
formation (plain text M) transmitted from the transmis- 
sion party 101. With communications performed in this 
way, even if the code C is intercepted, it is difficult for a 
third party to obtain transmitted information (plain text 
M). 

Further, it is possible to determine (authenticate) if 
the communication party is an authorized receiving par- 



ty by using such keys. Fig. 15 shows an example of au- 
thentication using keys (symmetric keys). A party 111 
who determines authentication generates a random 
number M and transmits the random number M to a par- 
s ty 1 1 2 who is authenticated. The authentication party 
1 1 1 causes the party 1 1 2 who is authenticated to encrypt 
the random number M into a code C by using the key K 
and to transmit the code C. Then, the authentication par- 
ty 1 1 1 receives the code C and decrypts it into plain text 
io M1 using the key K. Then, the authentication party 111 
makes a determination if the random number M and the 
plain text M1 match each other. When they match each 
other, the authentication party 111 authenticates the 
party 112 who is authenticated. 
t£ In this way, it is possible for the transmission party 
(the authentication party 111) to determine (authenti- 
cate) if the receiving party (the party 112 who is authen- 
ticated) is an authorize©; receiving party (has the same 
key as that of the transmission party). At this time, even 
if the random number M which is plain text and the code 
C containing the encrypted random number M are inter- 
cepted by a third party, since it is difficult to generate the 
key K from the plain text M and the code C, only the 
authorized receiving party having the same key K as the 
key K of the transmission party (the authentication party 
111) becomes authenticated. 

However, in the above-described authentication 
method, predetermined transmission and receiving par- 
ties merely authenticate other transmission and receiv- 
ing parties. Therefore, if, for example, the above-de- 
scribed authentication method is applied to a card sys- 
tem formed of a reader/writer (R/W) and an IC card, 
there are problems in that although it is possible for the 
R/W to determine (authenticate the communication par- 
ty) if the communication party is an authorized IC card, 
it is difficult for the IC card to determine if the communi- 
cation party is an authorized R/W. 

The present invention has been achieved in view of 
such circumstances. In a plurality of information 
processing apparatuses, plain text is transmitted be- 
tween parties, the transmitted plain text is received, the 
received plain text is encrypted Into codes, and the 
codes are transmitted to the apparatus which transmit- 
ted the plain text. Further, the transmitted codes are re- 
ceived, and the plain text such that the codes has been 
decrypted is compared with the plain text which was in- 
itially transmitted, and thus the information processing 
apparatuses authenticate one another. 

The authentication method according to one aspect 
of the invention comprises the steps of: encrypting first 
data into a first code using the first key by the encryption 
means of the first information processing apparatus; de- 
crypting the first code into second data using the first 
key by the decryption means of the second information 
processing apparatus; encrypjjng the second data into 
a second code using the second key by the encryption 
means of the second information processing apparatus; 
encrypting third data into a third code using the second 
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key by the encryption means of the second information 
processing apparatus; decrypting the second code into 
fourth data using the second key by the decryption 
means of the first information processing apparatus; au- 
thenticating the second information processing appara- s 
tus by the first information processing apparatus on the 
basis of the first data and the fourth data; decrypting the 
third code into fifth data using the second key by the 
decryption means of the first information processing ap- 
paratus; encrypting the fifth data into a fourth code using io 
the first key by the encryption means of the first infor- 
mation processing apparatus; decrypting the fourth 
code into sixth data using the first key by the decryption 
means of the second information processing apparatus; 
and authenticating the first information processing ap- is 
paratus by the second information processing appara- 
tus on the basis of the third data and the sixth data. 

The communication method according to another 
aspect of the invention comprises the steps of: encrypt- 
ing first data into a first code using the first key by the 20 
encryption means of the first information processing ap- 
paratus; transmitting the first code to the second infor- 
mation processing apparatus by the transmission 
means of the first information processing apparatus; re- 
ceiving the first code by the receiving means of the sec- *s 
ond information processing apparatus; decrypting the 
first code into second data using the first key by the de- 
cryption means of the second information processing 
apparatus; encrypting the second data into a second 
code using the second key by the encrypting means of 30 
the second information processing apparatus; encrypt- 
ing third data into a third code using the second key by 
the encryption means of the second information 
processing apparatus; transmitting the second code 
and the third code by the transmission means of the sec- 35 
ond information processing apparatus; receiving the 
second code and the third code by the receiving means 
of the first information processing apparatus; decrypting 
the second code into fourth data using the second key 
by the decryption means of the first information process- *o 
ing apparatus; authenticating second information 
processing apparatus by the first information processing 
apparatus on the basis of the first data and the fourth 
data; decrypting the third code into fifth data using the 
second key by the decryption means of the first infor- 
mation processing apparatus; encrypting the fifth data 
into a fourth code using the first key by the second en- 
cryption means of the first information processing appa- 
ratus; transmitting the fourth code to the second infor- 
mation processing apparatus by the transmission 50 
means of the first information processing apparatus; re- 
ceiving the fourth code by the receiving means of the 
second information processing apparatus; decrypting 
the fourth code into sixth data using the first key by^he 
decryption means of the second information processing ss 
apparatus; and authenticating the first information 
processing apparatus by the second information 
processing apparatus on the basis of the third data and 



the sixth data. 

The information processing apparatus according to 
a further aspect of the invention is further provided with 
authentication means for authenticating another infor- 
mation processing apparatus on the basis of the prede- 
termined data and data generated by decrypting the 
code received from the other information processing ap- 
paratus, wherein the encryption means encrypts first da- 
ta into a first code using the first key, the transmission 
means transmits the first code to the other information 
processing apparatus, the receiving means receives 
second and third codes from the other information 
processing apparatus, the decryption means decrypts 
the second code into fourth data using the second key 
and further decrypts the third code into fifth data using 
the second key, the authentication means authenticates 
the other information processing apparatus on the basis 
of the first data and the fourth data, the encryption 
means encrypts the fifth data into a fourth code using 
the first key, and the transmission means transmits the 
fourth code to the other information processing appara- 
tus. 

The information processing apparatus according to 
still a further aspect of the invention is further provided 
with authentication means for authenticating another in- 
formation processing apparatus on the basis of the pre- 
determined data and data obtained by decrypting a code 
received from the other information processing appara- 
tus, wherein the receiving means receives a first code 
from the other information processing apparatus, the 
decryption means decrypts the first code into second 
data using the first key, the encryption means encrypts 
the second data into a second code using the second 
key and further encrypts third data into a third code using 
the second key, the transmission means transmits the 
second and third codes to the other information process- 
ing apparatus, the receiving means receives a fourth 
code from the other information processing apparatus, 
the decryption means decrypts the fourth code into sixth 
data using the second key, and the authentication 
means authenticates the other information processing 
apparatus on the basis of the third data and the sixth 
data. 

The invention will be further described below with 
reference to the following description of exemplary em- 
bodiments and the accompanying drawingsrin which: 

Fig. 1 shows an example of a non-contact card sys- 
tem formed of an R/W 1 and an IC card 2; 
Fig. 2 is a block diagram illustrating the construction 
of the R/W 1 in accordance with an embodiment of 
the present invention; 

Fig. 3 is a block diagram illustrating an example of 
the construction of an encryption section 1 2 in Fig. 
2; 

Fig. 4 is a block diagram illustrating an example of 
the construction of a data randomization section 32 
in Fig. 3; 
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Fig. 5 is a block diagram illustrating an example of 
the construction of a decryption section 1 3 in Fig. 2; 
Fig. 6 is a block diagram illustrating the construction 
of an IC card 2 in accordance with the embodiment 
of the present invention; 5 
Fig. 7 is a flowchart illustrating the operation of the 
R/W 1 during mutual authentication in Fig. 1 ; 
Fig. 6 is a flowchart illustrating the operation of the 
IC card 2 during mutual authentication in Fig. 1; 
Fig. 9 shows the operation of the non-contact card io 
system during mutual authentication in Fig. 1 ; 
Fig. 10 is a flowchart illustrating the process of the 
R/W 1 during communication in Fig. 1; 
Fig. 11 is a flowchart illustrating the process of the 
IC card 2 during communication in Fig. 1 ; « 
Fig. 12 shows another example of communication 
between the R/W 1 and the IC card 2; 
Fig. 1 3 shows still another example of communica- 
tion between the R/W 1 and the IC card 2; 
Fig. 1 4 is a block diagram illustrating an example of so 
communication utilizing a secret code; and 
Fig. 15 is a block diagram illustrating an example of 
authentication utilizing a secret code. 

Fig. 1 shows an example of a non-contact card sys- 2$ 
tern utilizing an R/W 1 and an IC card 2. The R/W 1 and 
the IC card 2 transmit and receive data in a non-contact 
manner by using electromagnetic waves. 

For example, when the R/W 1 transmits a read com- 
mand to the IC card 2, the IC card 2 receives the read 30 
command and transmits the data indicated by the read 
command to the R/W 1 . 

Also, when the R/W 1 transmits data to the IC card 
2, the IC card 2 receives the data, stores the received 
data in a built-in memory 64 (Fig. 6) (storage means), 35 
and transmits to the R/W 1 a predetermined response 
signal indicating that the data has been stored. 

Fig. 2 shows the construction of the R/W 1 in ac- 
cordance with an embodiment of the present invention. 

In the R/W 1 , a control section 11 performs various *o 
processes in accordance with stored programs. For ex- 
ample, the control section 11 outputs data to be trans- 
mitted to the IC card 2 to an encryption section 12 (en- 
cryption means) and processes response data from the 
IC card 2, supplied from a decryption section 13 (de- 
cryption means). 

Further, the control section 1 1 reads from a memory 
14 (storage means) a key K A (second key) or a key K B 
(first key) used for encryption or decryption and outputs 
the key K A or the key to the encryption section 1 2 or so 
the decryption section 13. Further, the control section 
1 1 performs communications with a main computer (not 
shown) through an interface 15. 

pie memory 14 stores data and the like used for 

process es in the control section 11 and also stores two ss 
keys K A and K B used for encryption and decryption. 

The encryption section 12 encrypts data supplied 
from the control section 11 by a predetermined key and 



outputs the encrypted data (code) to a transmission sec- 
tion 16 (transmission means). 

The transmission section 16 modulates the data 
(code) supplied from the encryption section 12 by a pre- 
determined modulation method (e.g., PSK (Phase Shift 
Keying) modulation method) and transmits the generat- 
ed modulated waves to the I C card 2 via an antenna 
section 17. 

A receiving section 18 (receiving means) receives 
the modulated waves transmitted from the IC card 2 via 
the antenna section 17, demodulates the modulated 
waves by a demodulation method corresponding to the 
modulated waves, and outputs the demodulated data 
(code) to the decryption section 1 3. 

The decryption section 1 3 decrypts the data (code) 
supplied from the receiving section 16 using a predeter- 
mined key and outputs the decrypted data to the control 
section 11. 

Fig. 3 6hows an example of the construction of the 
encryption section 1 2 of Fig. 2. In the encryption section 
12, a key storage section 31 stores a key K supplied 
from the control section 11. 

A data randomization section 32 reads the key K 
from the key storage section 31 , encrypts the data sup- 
plied from the key storage section 31 using the key K, 
and outputs the generated code to the transmission sec- 
tion 16. 

Fig. 4 shows an example of the construction of the 
data randomization section 32 of Fig. 3. This data ran- 
domization section 32 generates a code by a DES meth- 
od (for example, described in "Code and Information Se- 
curity" (Shokodo), Edited by ShigeoTsujii, Masao Kasa- 
hara, 1990) which performs a plurality of involution proc- 
esses. In this data randomization section 32, a key data 
generation circuit 61 computes 16 key data K 1 to K 16 
from the key K read from the key storage section 31 and 
outputs the key data K 1 to K 16 to computation circuits 
62-1 to 62-16, respectively. 

A register 63 holds 64-bit data (8 bytes) supplied 
from the control section 11, outputs the high-order 32 
bits of the 64-bit data to an adder 64-1 and outputs the 
low-order 32 bits thereof to a computation circuit 62-1 
and an adder 64-2. 

A computation circuit 62-i (i = 1, 16) performs a 
predetermined conversion, using key data Kj supplied 
from the key data generation circuit 61 , on the low-order 
32-bit data of the register 63 (in the case of the compu- 
tation circuit 62-1 ) or the 32 -bit data supplied from the 
adder 64-(i-1 ) (in the case of the computation circuits 
62-2 to 62-1 6)7and outputs the converted 32-bit data to 
the adder 64-i. 

An adder 64-i (i = 1 , 1 6) computes the exclusive 
OR (exclusive OR for each bit) of 32-bit data supplied 
from either oneof the high-order 32 bits of the register 
63 (in the ca se.otih e adder 64-1), the low-order 32 bits 
of the register 63 (in the case of the adder 64-2), or the 
adder 64-(i-2) (in the case of the adders 64-3 to 64-16), 
and the 32-bit data supplied from the computation circuit 
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62-i, and outputs the exclusive OR (32 bits) to either one 
of the adder 64-(i+2) (in the case of the adders 64-1 to 
64-1 4), the low-order 32 bits of a register 65 (in the case 
of the adder 64-15), or the high-order 32 bits of the reg- 
ister 65 (in the case of the adder 64-16). and the com- 
putation circuit 62-(i+l) (in the case of the adders 64-1 
to 64-15). 

The register 65 holds the 32-bit data supplied from 
the adder 64-15 in the low-order 32 bits thereof, holds 
the 32-bit data supplied from the adder 64- 1 6 in the high- 
order 32 bits, and further outputs the 64-bit data formed 
of these two 32-bit data, as a code, to the transmission 
section 16. 

Fig. 5 shows an example of the construction of the 
decryption section 1 3 of Fig. 2. In this decryption section 
1 3, a key storage section 41 holds a key K supplied from 
the control section 11. 

A conversion section 42. having the same construc- 
tion as that of the data randomization section 32 of Fig. 
4, reads a key K from the key storage section 41 , sup- 
plies the data (the code encrypted by the DES method) 
supplied from the receiving section 1 8 to the register 63, 
after which it performs the same operation as that of the 
data randomization section 32 of Fig. 4 in order to de- 
crypt the data and output the decrypted data from the 
register 65 to the control section 11 . 

Fig. 6 shows an example of the construction of the 
IC card 2 in accordance with the embodiment of the 
present invention. 

In the, IC card 2, a control section 81 (processing 
means) performs various processes in accordance with 
a command supplied from the Fl/W 1 . The control sec- 
tion 81 receives a command from the R/W 1 from a de- 
cryption section 83 (decryption means), performs a 
process corresponding to the command, and outputs re- 
sponse data (to be transmitted to the R/W 1) corre- 
sponding to the processing result to an encryption sec- 
tion 62 (encryption means). 

Further, the control section 81 reads from a memory 
84a key K A ora key Kb used for encryption or decryption 
and outputs the key K A or the key Kb to the encryption 
section 82 or the decryption section 83. 

The memory 84 has a RAM (Random Access Mem- 
ory) section (approximately 128 kilobytes) and a ROM 
(Read Only Memory) section (approximately 512 kilo- 
bytes). Of these, the RAM section temporarily stores da- 
ta and the like used for processing in the control section 
81 . Meanwhile, the ROM section has prestored therein 
two keys K A and K B used for encryption and decryption. 

The encryption section 82 and the decryption sec- 
tion 83 have the same construction as those of the en- 
cryption section 12 of Fig. 3 and the decryption section 
13 of Fig. 5. and therefore, a description thereof has 
been omitted. — 

A transmission section 86 (transmission means) 
modulates data (code) supplied from the encryption 
section 82 by a predetermined modulation method (e. 
g., a PSK (Phase Shift Keying) modulation method) and 



transmits the generated modulated waves to the R/W 1 
via an antenna section 87. 

A receiving section 88 (receiving means) receives 
modulated waves transmitted from the R/W 1 via the an- 
5 tenna section 87, demodulates them by a demodulation 
method corresponding to the modulated waves, and 
outputs the demodulated data (code) to the decryption 
section 83. 

Next, while referring to the flowcharts of Figs. 7 and 
8, and Fig. 9. the operation of mutual authentication of 
the R/W 1 and the IC card 2 will be described. 

Initially, In step S1 in Fig. 7, the control section 11 
of the FVW 1 generates a 64-bit random number R A (first 
data) and outputs it to the data randomization section 
32 of the encryption section 1 2, and further reads a key 
Kb from the memory 1 4 and outputs it to the key storage 
section 31 of the encryption section 12. 

The data randomization section 32 of the encryption 
section 12 of Fig. 3 reads the key Kb from the key stor- 
age section 31 . Then, a key data generation circuit 61 
of the data randomization section 32 of Fig. 4 generates 
16 key data K t to K 16 from the key Kb and outputs it to 
the computation circuits 62-1 to 62-16. respectively. 

A register 63 of the data randomization section 32 
outputs the high-order 32 bitsof the-raridcnrnurnberR A 
supplied from the R/W 1 to the adder 64-1 and outputs 
the tow-order 32 bit6 of the random number R A to the 
computation circuit 62-1 and the adder 64-2. The com- 
putation circuit 62-1 converts the 32-bit data using the 
key data K., and outputs the converted data to the adder 
64-1. The adder 64-1 computes the exclusive OR (ex- 
clusive OR for each bit) of the 32-bit data supplied from 
the register 63 and the 32-bit data supplied from the 
computation circuit 62-1. and outputs the exclusive OR 
(32 bits) to the computation circuit 62-2 and the adder 
64-3. 

Next, the computation circuit 62-2 converts the 
32-bit data using the key data K 2 and outputs the con- 
verted data (32 bits) to the adder 64-2. The adder 64-2 
computes the exclusive OR of the 32-bit data supplied 
from the register 63 and the 32-bit data supplied from 
the computation circuit 62-2, and outputs the exclusive 
OR to the computation circuit 62-3 and the adder 64-4. 

The computation circuits 62-3 to 62-14 and the 
adders 64-3 to 64-1 4 perform in sequence the same op- 
eration as that of the computation circuit 62-2 and the 
adder 64-2. That is, the computation circuit 62-J 0=3, 
1 4) converts the 32 -bit data supplied from the adder 64- 
fj-1 ) by using key data Kj and outputs the converted data 
to the adder 64-j. The adder 64-j {£=3, — , 1 4) computes 
the exclusive OR of the 32-bit data supplied from the 
adder 64-{j -2) and the 32-bit data supplied from the 
computation circuit 62-j, and outputs the exclusive OR 
to the computation circuit 62-Q+1) and the adder 64- 
Q+2). ^ 

Further, the computation circuit 62-15 converts the 
32-bit data supplied from the adder 64-14 by using the 
key data K 15 and outputs the converted data to the 
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adder 64-15. The adder 64-15 computes the exclusive 
OR of the 32-bit data supplied from the adder 64-1 3 and 
the 32-bit data supplied from the computation circuit 
62-15, and outputs the exclusive OR to the computation 
circuit 62-1 6 and the low-order 32 bits of the register 65. s 

Then, the computation circuit 62-16 converts the 
32-bit data by using the key data K 16 and outputs the 
converted data to the adder 64-16. The adder 64-16 
computes the exclusive OR of the 32-bit data supplied 
from the adder 64-14 and the 32-bit data supplied from io 
the computation circuit 62-1 6, and outputs it to the high- 
order 32 bits of the register 65. 

In the above-described way, a code is generated by 
performing a computation of a total of 16 stages. Then, 
the register 65 of the data random ization sect ion 32 out- 
puts the generated code C 1 (a first code) ([RaJ b of Fig. 
9) to the transmission section 1 6. 

Next, in step S2, the transmission section 16 of the 
R/W 1 modulates the code C-, supplied from the encryp- 
tion section 12 and transmits the generated modulated so 
waves to the IC card 2 via the antenna section 1 7. 

As described above, during the period in which the 
R/W 1 processes and transmits the modulated waves in 
steps S1 and S2, the IC card 2 warts in step S21 of Fig. 8. 

When the modulated waves are transmitted from 2$ 
the R/W 1 , the receiving section 88 of the IC card 2 re- 
ceives the modulated waves transmitted from the trans- 
mission section 16 of the R/W 1, demodulates the mod- 
ulated waves, and outputs the demodulated data (code 
C t ) to the decryption section 83. 30 

Next, in step S22, the conversion section 42 of a 
decryption section 83 of the IC card 2 decrypts the code 
Ci supplied from the receiving section 88 by using the 
key Kb previously supplied to the key storage section 
4 1 from the control section 81 , and outputs the decrypt- 35 
ed data (plain text M 1 ) (second data) to the control sec- 
tion 81. 

In step S23, the control section 81 of the IC card 2 
outputs the plain text M, supplied from the decryption 
section 83 to the data randomization section 32 of the *o 
encryption section 82. The data randomization section 
32 of the encryption section 82 reads a key K A prestored 
in the key storage section 31 , encrypts the plain text M 1 
using the key K A in the same way as the data randomi- 
zation section 32 of the encryption section 1 2 of the R/ 4S 
W 1 in step S1 , and outputs the generated code C 2 (sec- 
ond code) ([R/Ja of Fig. 9) to the transmission section 
86. 

Further, the control section 81 generates a random 
number Rq (third data) and outputs the random number so 
R B to the data randomization section 32 of the encryp- 
tion section 82. The data randomization section 32 of 
the encryption section 82 reads a key K A from the key 
storage section 31 , encrypts the random number Fig us- 
ing the key K A , and outputs the generated code C3 (third ss 
code) ([RbIa of Fig. 9) to the transmission section 86. 

Then, in 6tep S24, the transmission section 86 of 
the IC card 2 modulates the codes C 2 and C 3 and trans- 
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mits the generated modulated waves to the R/W 1 via 
the antenna section 87. 

While the IC card 2 is performing the process from 
steps S21 to S24 as described above, the R/W 1 waits 
in steps S3 and S4 until the codes Cg and C 3 are trans- 
mitted from the IC card 2, and monitors in step S3 the 
time elapsed from when the code C 1 was transmitted. 
When a predetermined time (a time longer than the time 
normally required for processing in the IC-card 2) has 
elapsed from the time the codes C 2 and C 3 have been 
transmitted from the IC card 2, the process returns to 
step S2 where the code C, is retransmitted. 

Then, when the modulated waves containing the 
codes C2 and C 3 are transmitted from the IC card 2, the 
receiving section 18 of the R/W 1 receives the modulat- 
ed waves transmitted from the transmission section 86 
of the IC card 2 via the antenna section 1 7, and demod- 
ulates the modulated waves. Then, the receiving section 
18 outputs the demodulated data (codes C2 and C 3 ) to 
the decryption section 1 3. * 

Next, in step S5, the conversion section 42 of the 
decryption section 13 of the R/W 1 reads the key K A 
previously supplied to the key storage section 41, de- 
crypts the data (codes C 2 and C 3 ) supplied from the re- 
ceiving section 1 8, and outputs the decrypted data (plain 
text M 2 (corresponding to the code C 2 ) (fourth data) and 
plain text M 3 (corresponding to the code C 3 ) (fifth data)) 
to the control section 11. 

Then, in step S6. the control section 11 of the R/W 
1 determines whether the plain text M2 and the random 
number R A are the same. When it is determined that the 
plain text M2 and the random number R A are the same, 
in step S7, the R/W 1 determines that the IC card 2 has 
the same keys K A and K B as those of the R/W 1 , and 
authenticates the IC card 2. 

When, on the other hand, it is determined in step 
S6 that the plain text M 2 and the random number R A are 
not the same, the R/W 1 does not authenticate the R/W 
1, and the authentication process is terminated. 

After the IC card 2 is authenticated in step S7, in 
step S8, the control section 1 1 of the R/W 1 outputs the 
plain text M 3 generated in step S5 to the encryption sec- 
tion 12. Then, the encryption section 12 encrypts the 
plain text M 3 using the key K B in a manner similar to 6tep 
S1, and outputs the generated code C 4 (fourth code) 
([RbIb of Fi 9- 9 ) to 106 transmission section 16: 

In step S9, the transmission section 16 of the R/W 
1 modulates the code C 4 supplied from the encryption 
section 12 and transmits the generated modulated 
waves to the I C card 2 via the antenna section 1 7. 

While the R/W 1 is performing the process in steps 
S4 to S9 as described above, the IC card 2 waits in steps 
S25 and S26 until the code C 4 is transmitted. At this 
time, the control section 81 of the IC card 2 monitors the 
tim e_elap sed from when the codes C 2 and C3 were 
transmitted. When it is determined in step S26 that a 
predetermined time has elapsed from the time the codes 
C 2 and C 3 have been transmitted, the authentication 
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process is terminated without authenticating the R/W 1 . 

On the other hand, when the modulated waves con- 
taining the code C 4 are transmitted, the receiving sec- 
tion 88 of the I C card 2 receives the modulated waves 
transmitted from the R/W 1 via the antenna section 87 s 
and demodulates the modulated waves. Then, the re- 
ceiving section 88 outputs the demodulated data (code 
C 4 ) to the decryption section 13. 

Next, in step S27, the conversion section 42 of the 
decryption section 83 of the I C card 2 decrypts the data "> 
(code C4) supplied from the receiving section 88 using 
the key K B read from the key storage section 41 and 
outputs the decrypted data (plain text M4) (sixth data) to 
the control section 81 . 

Then, in step S28, the control section 81 of the IC 
card 2 determines whether the plain text and the ran- 
dom number R B are the Game. When it is determined 
that the plain text M 4 and the random number Re are 
the same, the IC card 2 determines in step S29 that the 
R/W 1 has the same keys K A and K B as those of the I C 
card 2 and authenticates the R/W 1 . 

On the other hand, when it is determined in step 
S28 that the plain text M4 and the random number 
are not the same, the IC card 2 does not authenticate 
the R/W 1 , and the authentication process islerminated: 

In the above-described way, as shown in Fig. 7, the 
R/W 1 performs a process for authenticating the JC card" 
2. The IC card 2, as shown in Fig. 8, performs a process 
for authenticating the R/W 1. Thus, a mutual authenti- 
cation process is performed. 

Although the above-described data randomization 
section 32 of the encryption sections 1 2 and 82 pe rf orms 
encryption by a DES method, encryption may be per- 
formed by other methods (e.g., a FEAL (Fast Encryption 
Algorithm) - 8 method) . In 6uch a case, the conversion 
section 42 of the decryption sections 1 3 and 83 pe rf orms 
decryption in conformance with the encryption method. 

Further, when the FEAL - 8 method is used, it is pos- 
sible to perform mutual authentication in approximately 
32 milliseconds (the time required for processing in the 
IC card 2 is approximately 28 milliseconds). 

Next, referring to the flowcharts of Figs. 10 and 11 , 
a description will be given of communications between 
the R/W 1 and the IC card 2 after the above-described 
authentication process (after they have authenticated 
each other). 

In step S41 in Fig. 10, initially, the control section 
11 of the R/W 1 holds the random number R A in the 
above-described process as an identification number 
ID, and outputs, as a new key (third key), the random 
number Rq (plain text M 3 ) (since the IC card 2 is authen- 
ticated, the R/W 1 uses the plain text M 3 as the random 
number Rq) to the key storage section 31 of the encryp- 
tion section 1£ and the key storage section 41 of the 
decryption section 1 3. 

Then, the control section 1 1 of the R/W 1 outputs a 
command (transmission command) corresponding to 
the process to be performed by the IC card 2 to the data 



randomization section 32 of the encryption section 12. 
The data randomization section 32 of the encryption 
section 12 reads the key K, D from the key storage sec- 
tion 31 , encrypts the transmission command using the 
key K, D , and outputs the generated code Ccom (fifth 
code) to the transmission section 16. 

Further, the control section 11 of the R/W 1 outputs 
the identification number ID to the data randomization 
section 32 of the encryption section 1 2. The'data rand- 
omization section 32 of the encryption section 12 en- 
crypts the identification number ID using the key K,q and 
outputs the generated code C, D (sixth code) to the trans- 
mission section 16. 

In step S42, the transmission section 16 of the R/W 
1 modulates the codes Ccom and C, D supplied from the 
encryption section 12 and transmits the generated mod- 
ulated waves to the IC card 2 via the antenna section 1 7. 

Until the R/W 1 transmits the modulated waves con- 
taining the codes Ccom and C^ as described above, 
the IC card 2 waits in step 361 in Fig. 11 . 

* The control section 81 of the I C card 2 outputs in 
advance, as the key K©, the random number R B in the 
above-described authentication process to the key stor- 
age section 31 of the encryption section 82 and the key 
storage section 41 of the decryption section 83, and fur- 
ther holds the random number R A (plain text iU,) (since 
the R/W 1 is authenticated, the IC card 2 uses the plain 
text M 1 as the random number Ra) as the identification 
number ID. 

Then, when the modulated waves containing the 
codes Ccom and C© are transmitted from the R/W 1 , 
the receiving section 88 of the IC card 2 receives the 
modulated waves transmitted from the transmission 
section 16 of the R/W 1 via the antenna section 87 and 
demodulates the modu rated waves. Then, the receiving 
section 88 outputs the demodulated data (codes Ccom 
and C (D ) to the decryption section 83. 

In step S62, the conversion section 42 of the de- 
cryption section 83 decrypts the code C© of the supplied 
data using the key K l0 prestored in the key storage sec- 
tion 41 and outputs the decrypted data (plain text Mjq) 
(seventh data) to the control section 81. 

Then, in step S63, the control section 81 of the IC 
card 2 determines whether the value of the plain text 
Mto is the identification number ID or greater. When it is 
determined that the value of the plain text M, D is smaller 
than the identification number ID, the communication 
process is terminated. When, on the other hand, it is de- 
termined that the value_of the plain text Mj D is the iden- 
tification number ID or greater, in step S64, the control 
section 81 acknowledges the received command (code 
Ccom) an d causes the decryption section 83 to decrypt 
the code C^', in step S65. performs a process corre- 
sponding to the decrypted-command; and in step S66, 
prepares response data^data to be transmitted to the 
R/W 1) corresponding to the processing results. 

Next, in 6tep S67, the control section 81 of the IC 
card 2 increases the value of the identification number 
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ID by 1, after which it outputs the identification number 
ID and the response data in sequence to the encryption 
section 82. In step S68, the encryption section 62 en- 
crypts the identification number ID into code C 0 (eighth 
code) using the key K (D and further encrypts the re- 
sponse data into code Cre (seventh code) using the key 
K| D , after which it outputs the code and the code Cre 
to the transmission section 86. 

Then, in step S69, the transmission section 86 mod- 
ulates the code Cj D and the code Cre and transmits the 
generated modulated waves to the R/W 1 . 

While the IC card 2 Is performing a process corre- 
sponding to the transmitted command in steps S61 and 
S69, the R/W 1 waits in steps S43 and S44 and further 
in step S43 monitors the time elapsed from when the 
codes C, D and Ccom are transmitted. 

Then, when a predetermined preset time has 
elapsed, the process proceeds to step S45 where the 
R/W 1 selects the same command as that encrypted in 
step S41. and the value of the identification number ID 
is increased by 1 in step S46. Thereafter, the process 
returns to step S41 where the transmission command 
and the identification number ID are encrypted, and in 
step S42, the generated codes are retransmitted to the 
IC card 2. 

On the other hand, when the modulated waves con- 
taining the code C, D and the code Cre are received from* 
the IC card 2 in step S44, the receiving section 1 8 of the 
R/W 1 demodulates the modulated waves into the code 
C, D and the code Cre, and outputs the codes C, D and 
Cre to the decryption section 13. 

In step S47, the decryption section 1 3 decrypts the 
code C D using the key K, D and outputs the generated 
plain text M, D (ninth data) to the control section 11 . 

In step S48, the control section 11 determines 
whether the value of the plain text M (D is greater than 
the identification number ID. When it is determined that 
the value of the plain text M(q is equal to or smaller than 
the identification number ID, the process proceeds to 
step S45 where the same command as that transmitted 
in step S41 is selected. In step S46, the value of the 
identification number ID is increased by 1, after which 
the process returns to step S41 where the transmission 
command and the identification number ID are encrypt- 
ed, and in step S42, the generated codes are retrans- 
mitted to the IC card 2. 

On the other hand, when it is determined in step 
S48 that the value of the plain text M, D is greater than 
the identification number ID, the control section 11 caus- 
es the decryption section 1 3 to decrypt the code Cre and 
receives response data from the IC card 2 in step S49. 

Then, in step S50, the control section 11 of the R/ 
W 1 determines whether the communication is to be ter- 
minated. When the communication is to be continued, 
the process proceeds to step SSfwhere the control sec- 
tion 11 of the R/W 1 selects the nextlransmission com- 
mand. 

Then, the process proceeds to step S46 where the 



value of the identification number ID is increased by 1, 
after which the process returns to step S41 , and the next 
transmission command is transmitted in step S41 and 
et seq. 

s In the above-described way, using the random num- 
bers R A and R B transmitted during mutual authentica- 
tion as an identification number ID and a new key K tD , 
the R/W 1 transmits a predetermined command to the 
IC card 2. The IC card 2 performs a process-correspond- 

io jng to the command, after which it transmits response 
data corresponding to the processing results to the R/ 
W 1. As a result of the above, it is possible to confirm 
that the communication party is an authorized party for 
each communication by using the identification number 

'5 and the new key. Also, since the value of the identifica- 
tion number ID is increased by 1 for each communica- 
tion, it is possible to know the number of communica- 
tions up to the present time and to grasp the passage 
of processing. 

20 Although in step S63 the control section 81 of the 
IC card 2 determines whether the plain text M ID is equal 
to or greater than the identification number ID, it is also 
possible to determine whether the value of the plain text 
MID is equal to a value within a predetermined range (e. 

& g., the range of ID to ID + 16) corresponding to the iden- 
tification number ID. As a result of the above, when, for 
example,^ 4^lure pccprs-in ttfe transmisskxHine and 
the electromagnetic waves (the value of the.jc/'ntifica- 
tion number is ID) radiated* from the R/W 1 do not reach 

30 the IC card 2, the IC card 2 is capable of receiving data 
(the value of the identification number is ID + 1 , but the 
transmitted command is the same as that transmitted 
previously) to be transmitted next 

Or, in step S63, the control section B1 of the I C card 

55 2 may also determine whether the value of, for example, 
the low-order 8 bits of the plain text M (0 (64 bits) is equal 
to or greater than the value of the low-order 8 bits of the 
identification number ID. By making a comparison for 
only a predetermined number of digits (number of bits) 

to n . the number of bit computations is decreased less than 
in a case in which a comparison is made for 64 bits, and 
thus processing can be performed quickly. In this case, 
since a carryover occurs (an error occurs in the compar- 
ison results), if the value of the identification number ID 

<s becomes greater than 2 n - 1 (n is the number of digits), 
by takinginto consideration the number of communica- 
tions between the R/W 1 and the IC card 2, the number 
n of digits is set so that the value of the identification 
number ID does not become greater than 2 n - 1 (n is the 

50 number of digits). 

Further, in a similar manner, in step S48, the control 
section 1 1 of the R/W 1 may determine whether the val- 
ue of the plain text M JD is the same as a value within a 
predetermined range corresponding to the identification 

ss number ID. Also, in step S48, the control s ection 11 of 
the R/W 1 may determine whether the value of, for ex- 
ample, the low-order 8 bits of the plain text M, D is greater 
than the low-order 8 bits of the identification number ID. 
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Although in the above-described embodiment the 
random number R B is used as a new key K lD , as shown 
In Fig. 12. a new key Kj D may be computed from the 
random numbers R A and Rq so that communications are 
performed using the key K^. 

Further, when information transmitted by the R/W 1 
is simply to be stored in the IC card 2, as shown in Fig. 
13, it may also be possible for the IC card 2 to store 
received data (data encrypted using the key K A or Kq) 
as it is in the memory 84 without being decrypted, and 
read the data from the memory 84 when a read com- 
mand from the R/W 1 is received and transmit it as it is. 

As has been described up to this point, according 
to the authentication method of claim 1 , a first informa- 
tion processing apparatus encrypts first data into a first 
code, a second information processing apparatus de- 
crypts the first code into second data and encrypts the 
second data into a second code and further encrypts 
third data into a third code, the first information process- 
ing apparatus decrypts the second code into fourth data, 
and the first information processing apparatus authen- 
ticates the second information processing apparatus on 
the basis of the first data and the fourth data. Further, 
the first information processing apparatus decrypts the 
third code-into frfth data and encrypts the fifth data into 
a fourth code, the second information processing appa- 
ratus decrypts the fourth code into sixth data, and the 
second information processing apparatus authenticates 
the first information processing apparatus on the basis 
of the third data and the sixth data. Thus, it is possible 
for the two information processing apparatuses to au- 
thenticate each other. 

According to the communication method of claim 2, 
the first information processing apparatus transmits to 
the second information processing apparatus the first 
code such that the first data is encrypted, the second 
information processing apparatus receives the first code 
and decrypts the first code into second data and further 
transmits to the first information processing apparatus 
the second code such that the second data Is encrypted 
and the third code such that the third data is encrypted, 
the first information processing apparatus receives the 
second code and the third code, decrypts the second 
code of these codes into fourth data, and the first infor- 
mation processing apparatus authenticates the second 
information processing apparatus on the basis of the 
first data and the fourth data. Further, the first informa- 
tion processing apparatus decrypts the third code into 
fifth data and transmits to the second information 
processing apparatus the fourth code such that the fifth 
data is encrypted, the second information processing 
apparatus receives the fourth code and decrypts the 
fourth code into sixth data and further authenticates the 
first information processing apparatus on the basis of 
the third data and the sixth data. Thus, it is possible for 
the two information processing apparatuses which have 
authenticated each other to perform communications. 

According to the information processing apparatus 
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of claim 15, the encryption means encrypts first data into 
a first code using a first key, the transmission means 
transmits the first code to another information process- 
ing apparatus, the receiving means receives a second 
code and a third code, and the decryption means de- 
crypts the second code into fourth data using a second 
key and further decrypts the third code into fifth data us- 
ing the second key, the authentication means authenti- 
cates the other information processing apparatus on the 
basis of the first data and the fourth data, the encryption 
means encrypts the fifth data into a fourth code using 
the first key, and the transmission means transmits the 
fourth code to the other information processing appara- 
tus. Thus, it is possible to authenticate a given informa- 
tion processing apparatus and then to be authenticated 
by the information processing apparatus. 

According to the information processing apparatus 
of claim 24, the receiving means receives a first code 
from another information processing apparatus, the de- 
cryption means decrypts the" first code into first data us- 
ing a first key, the encryption means encrypts the first 
data into a second code using a second key and further 
encrypts the second data into a third code using the sec- 
ond key, the transmission means transmits the second 
code and the third code to the other information process- 
ing apparatus, the receiving means receives a fourth 
cocle from the other information processing apparatus, 
the decryption means decrypts the fourth code into third 
data using the second key, and the authentication 
means authenticates the other information processing 
apparatus on the basis of the second data and the third 
data. Thus, it is possible to authenticate a given infor- 
mation processing apparatus and then to be authenti- 
cated by the information processing apparatus. 
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1. An authentication method between a first informa- 
tion processing apparatus and a second informa- 
tion processing apparatus each comprising: 

storage means for storing first and second 
keys; 

encryption means for encrypting predeter- 
mined data using said first key or said second 
key. and 

decryption means for decrypting a code gener- 
ated by said second key or said first key, 
said authentication method comprising the 
steps of: 

encrypting first data into a first code using said 
first key by said encryption means of said first 
information processing apparatus; 
— decrypting said first code into second data us- 

ing said first key by said decryption means of 
said second information processing apparatus; 
encrypting said second data into a second code 
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using said second key by 6aid encryption 
means of said second information processing 
apparatus; 

encrypting third data into a third code using said 
second key by said encryption means of said s 
second information processing apparatus; 
decrypting said second code into fourth data 
using said second key by said decryption 
means of said first information processing ap- 
paratus; 10 
authenticating said second information 
processing apparatus by 6aid first information 
processing apparatus on the basis of said first 
data and said fourth data; 

decrypting said third code into fifth data using « 
said second key by said decryption means of 
said first information processing apparatus; 
encrypting said fifth data into a fourth code us- 
ing said first key by said encryption means of 
said first information processing apparatus; so 
decrypting said fourth code into sixth data using 
said first key by said decryption means of said 
second information processing apparatus; and 
authenticating said first information processing 
apparatus by said second information process- ss 
ing apparatus on the basis of said third data and 
said sixth data ^ 

A method according to claim 1 wherein each infor- 
mation processing apparatus further comprises: 30 



3. A method according to claim 2, 

wherein said first data is a predetermined iden- 
tification number, 
said third data is a third key, 
said encryption means of said first information 
processing apparatus encrypts a first com- 
mand into a fifth code using said third key and 
further encrypts said identification /lumber into 
a sixth code using said third key, 
said transmission means of said first informa- 
tion processing apparatus transmits said fifth 
code together with said sixth code, 
said receiving means of said second informa- 
tion processing apparatus receives said fifth 
code and said sixth code, 
said decryption means of said second informa- 
tion processing apparatus decrypts said fifth 
code into a second command using said third 
key and further decrypts said sixth code into 
seventh data using said third key, and 
said second information processing apparatus 
authenticates said second command on the ba- 
sis of said seventh data and the value of said 
identification number 

4. A method according to claim 3, wherein said iden- 
tification number of said first information processing 
apparatus is changed for each encryption of said 
first command. 



transmission means for transmitting said en- 
crypted data; and 

receiving means for receiving predetermined 
encrypted data, 35 
wherein said method comprises the further 
steps of: 

transmitting said first code to said second infor- 
mation processing apparatus by said transmis- 
sion means of said first information processing <o 
apparatus; 

receiving said first code by said receiving 
means of said second information processing 
apparatus; 

transmitting said second code and said third *s 
code by said transmission means of said sec- 
ond Information processing apparatus; 
receiving said second code and said third code 
by said receiving means of said first information 
processing apparatus; so 
transmitting said fourth code to said second in- 
formation processing apparatus by said trans- 
mission means of said first information 
processing apparatus; 

recervirigTsaid fourth code by said receiving ss 
means of said second information processing 
apparatus; 



5. A method according to claim 4, wherein said iden- 
tification number of said first information processing 
apparatus is increased for each encryption of said 
first command. 

6. A method according to claim 3, 4 or 5, wherein said 
second information processing apparatus authenti- 
cates said second command when said seventh da- 
ta has a value within a predetermined range corre- 
sponding to said identification number. 

7. A method according to claim 3, 4, 5 or 6, wherein 
said second information processing apparatus 
compares the value of said seventh data with said 
identification number only in a range of a predeter- 
mined number of digits and authenticates said sec- 
ond command when the value within said range of 
a predetermined number of digits in said seventh 
data is equal to or greater than the value within said 
range of a predetermined number of digits in said 
identification number. 

8. A method according to anyone of claims 3 to 7, 

wherein said second information processing 
apparatus performs a process corresponding 
to said second command and generates re- 



10 




19 EP0 817 

sponse data corresponding to the processing 
results, 

said encryption means of said second informa- 
tion processing apparatus encrypts said re- 
sponse data into a seventh code using said 5 
third key and further encrypts said identification 
number into an eighth code using said third key, 
said transmission means of said second infor- 
mation processing apparatus transmits said 
seventh code together with said eighth code, 10 
said receiving means of said first information 
processing apparatus receives said seventh 
code and said eighth code, 
said decryption means of said first information 
processing apparatus decrypts said seventh is 
code into eighth data using said third key and 
further decrypts said eighth code into ninth data 
using said third key, and 
said first information processing apparatus au- 
thenticates said eighth data as said response 20 
data on the basis of said ninth data and the val- 
ue of said identification number. 

9. A, method according to claim 8, wherein said iden- 
tification number of said second information 26 
processing apparatus is changed for each encryp- 
tion of said eighth data. 

10. A method according to claim 9, wherein said iden- 
tification number of said second information 30 
processing apparatus is increased for each encryp- 
tion of said eighth data. 

11. A method according to claim 8, 9 or 1 0, wherein said 
first information processing apparatus authenti- 3s 
cates said eighth data as said response data when 
said ninth data has a value within a predetermined 
range corresponding to said identification number. 

12. A method according to claim 8, 9, 10 or 11, wherein *o 
said first information processing apparatus com- 
pares said ninth data with the value of said identifi- 
cation number in a range of a predetermined 
number of digits, and authenticates said eighth data 
as said response data when the value within said 45 
range of a predetermined number of digits in said 
ninth data is equal to or greater than the value within 
said range of a predetermined number of digits in 
said identification number. 

so 

13. A method according to any one of claims 8 to 12, 
wherein said first information processing apparatus 
increases the value of said identification number 
when a predetermined time has elapsed during the 
time from when said fifth code is transmrttedtogeth- ss 
er with said sixth code until said seventh code and 
said eighth code are received, then encrypts said 
identification number into said sixth code, and re- 
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transmits said fifth code together with said sixth 
code. 

14. A method according to any one of claims 8 to 13, 
wherein when said first information processing ap- 
paratus does not authenticate said eighth data as 
response data, said first information processing ap- 
paratus increases the value of said identification 
number, then encrypts said identification number in- 
to said sixth code, and retransmits said fifth code 
together with said sixth code. 

15. An information processing apparatus, comprising: 

storage means for storing first and second 
keys; 

encryption means for encrypting predeter- 
mined data using said first or second key; 
decryption means for decrypting a code gener- 
ated by said second key or said first key; 
transmission means for transmitting a code en- 
crypted by said encryption means to another in- 
formation processing apparatus; and 
receiving means for receiving a code from said 
other information processing apparatus, 
wherein there is further provided authentication 
means for authenticating said other information 
processing apparatus on the basis of said pre- 
determined data and data generated by de- 
crypting the code ^received from said other in- 
formation processing apparatus, 
said encryption means encrypts first data into 
a first code using said first key, 
said transmission means transmits said first 
code to said other information processing ap- 
paratus, 

said receiving means receives second and third 
codes from said other information processing 
apparatus, 

said decryption means decrypts said second 
code into fourth data using said second key and 
further decrypts said third code into fifth data 
using said second key, 

said authentication means authenticates said 
other information processing apparatus on the 
basis of said first data and said fourth data, 
said encryption means encrypts said fifth data 
into a fourth code using said first key, and 
said transmission means transmits said fourth 
code to said other information processing ap- 
paratus. 

16. An information processing apparatus according to 
claim 15, 

wherein said first data is a predetermined iden- 
tification number, 
said fifth data is a third key 
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said encryption means encrypts a first com- 
mand into a fifth code using said third key and 
further encrypts said identification number to a 
sixth code using said third key, and 
said transmission means transmits said fifth s 
code together with said sixth code to said other 
information processing apparatus. 



when said fifth code is transmitted together with 
said sixth code until said seventh code and said 
eighth code are received, the value of said identifi- 
cation number is increased, then said identification 
number is encrypted to said sixth code, and said 
fifth code is retransmitted together with said sixth 
code. 



17. An information processing apparatus according to 
claim 16, 

wherein said receiving means receives from 
said other information processing apparatus a 
seventh code such that response data corre- 
sponding to the processing results correspond- 
ing to said first command is encrypted and an 
eighth code such that 6aid identification 
number in said other information processing 
apparatus is encrypted, 
said decryption means decrypts said seventh 
code into eighth data using said third key and 
further decrypts said eighth code into ninth data 
using said third key, and 
said authentication means authenticates said 
eighth data as said response data on the basis 
of said ninth data and the value of said identifi- 
cation number. 

18. An information processing apparatus according to 
claim 16 or 17, wherein said identification number 
is changed for each encryption of said first com- 
mand. 

19. An information processing apparatus according to 
claim T8, wherein said identification number is in- 
creased for each encryption of said first command. 

20. An information processing apparatus according to 
claim 17, 18 or 19, wherein said authentication 
means authenticates said eighth data as said re- 
sponse data when said ninth data has a value within 
a predetermined range corresponding to said iden- 
tification number. 

21. An information processing apparatus according to 
claim 20, wherein said authentication means com- 
pares said ninth data with the value of said identifi- 
cation number only in a range of a predetermined 
number of digits, and authenticates said eighth data 
as said response data when the value within said 
range of a predetermined number of digits in said 
ninth data is equal to or greater than the value within 
said range of a predetermined number of digits in 
said identification number. 



22. An information processing apparatus according to 
any one of claims 17 to 21, wherein when a prede- 
termined time has elapsed during the time from 



23. An information processing apparatus according to 
io any one of claims 17 to 22, wherein when said au- 
thentication means does not authenticate said 
eighth data as response data, the value of said iden- 
tification number is increased, then said identifica- 
tion number is encrypted to said sixth codef and 
said fifth code is retransmitted together with said 
sixth data. 

24. An information processing apparatus, comprising: 

storage means for storing first and second 
keys; 

encryption means for encrypting predeter- 
mined data using said first or second key; 
decryption means for decrypting a code gener- 
ated by said second or first key; 
transmission means for transmitting a code en- 
crypted by said encryption means to another in- 
formation processing apparatus; and 
receiving means for receiving a code from said 
other information processing apparatus, 
wherein there is further provided authentication 
means for authenticating said other information 
processing apparatus on the basis of said pre- 
determined data and data obtained by decrypt- 
ing a code received from said other information 
processing apparatus, 

said receiving means receives a first code from 
said other information processing apparatus, 
said decryption means decrypts said first code 
into second data using said first key, 
said encryption means encrypts said second 
data into a second code using said second key 
and further encrypts third data into a third code 
using said second key, 

said transmission means transmits said second 
and third codes to said other information 
processing apparatus, 

said receiving means receives a fourth code 
from said other information processing appara- 
tus, 

said decryption means decrypts said fourth 
code into sixth data using said second key, and 
said authentication means authenticates said 
other information processing apparatus on the 
basis of said third data and said sixth data. 

25. An information processing apparatus according to 
claim 24, 
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wherein said second data is a predetermined 
identification number, 
said third data is a third key, 
said receiving means receives from said other 
information processing apparatus a fifth code 
such that a first command is encrypted using 
said third key and a sixth code such that said 
identification number of said other information 
processing apparatus is encrypted, 
said decryption means decrypts said fifth code 
into a second command using said third key 
and further decrypts said sixth code into sev- 
enth data using said third key, and 
said authentication means authenticates said 
second command on the basis of said seventh 
data and the value of said identification 
number. 



31. An information processing system comprising an in- 
formation processing apparatus according to any 
one of claims 15 to 23 and an information process- 
ing apparatus according to any one of claims 24 to 
30. 
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26. An information processing apparatus according to 
claim 25, further comprising: processing means for so 
performing a process corresponding to said second 
command and generating response data corre- 
sponding to the processing results, 

wherein said encryption means encrypts said ss 
response data into a seventh code using said 
third key and further encrypts said identification 
number into an eighth code using said third key, 
and 

said transmission means transmits said sev- 30 
enth code together with said eighth code. 



27. An information processing apparatus according to 
claim 26, wherein said identification number is 
changed for each encryption of said seventh code. 3S 

28. An information processing apparatus according to 
claim 27, wherein said identification number is in- 
creased for each encryption of said seventh code. 

40 

29. An information processing apparatus according to 
any one of claims 25 to 28, wherein said authenti- 
cation means authenticates said second command 
when said seventh data has a val ue within a prede- 
termined range corresponding to said identification 45 
number. 



30. An information processing apparatus according to 
any one of claims 25 to 29, wherein said authenti- 
cation means compares said seventh data with the 50 
value of said identification number only in a range 
of a predetermined number of digits and authenti- 
cates said second command when the value within 
said range of a predetermined number-of digits in 
said seventh data is equal to or greaterthan the val- 55 
ue within said range of a predetermined number of 
digits in said identification number. 



13 



EP 0 817 420 A2 




>- TO MAIN COMPUTER 



14 



EP 0817 420 A2 



LU 

£8 



1 



CM 

CD 



• 

DC 


LU 


31NI 


O 
if 








f 


CONTROL 
SECTION 




f 



CXI 



>- 
o 



ZLU 
UJ CO 



CO 



CO 



z 




o 




CO 




CO 




NSMI 


NOLL 


<o 




LLI 


1— CO 








r| 


VNN 


ION | 


UJ 


i — 


H-O 


Z UJ 


«C CO 



CO 



oo 

LU LLI 
O CO 



CD 

>o 

LU f 

oo 

LU LU 

OC CO 



15 



EP 0 817 420 A2 



FIG. 3 



TO TRANSMISSION - C0DE 



SECTION 



£ 

DATA 

RANDOMIZATION 
SECTION 



31- 



KEY STORAGE 
SECTION 



DATA 



FROM CONTROL 
SECTION 



KEY 



12 



16 



EP 0 817 420 A2 



FIG. 4 



FROM CONTROL 
SECTION 

P 



64-1 



64-2 




64-1 6-©< 



- HregisterK 

/r — 

65 /^64 
C 

TO TRANSMISSION 
SECTION 



17 



EP 0 817 420 A2 



FIG. 5 



FROM RECEIVING 
SECTION 



CODE 



42 

i 

CONVERSION 
SECTION 



41- 



DATA 



KEY STORAGE! 
SECTION 



KEY 



TO CONTROL 
SECTION 



13 



16 



EP 0 817 420 A2 



FIG. 6 



87 

\ 






86 
I 








82 

\ 






81 

\ 


ANTENNA 




TRANSMISSION 






ENCRYPTION 




CONTROL 


SECTION 






SECTION 




< — 




SECTION 








SECTION 








88 

\ 








83 














RECEIVING 






DECRYPTION 






MEMORY 








SECTION 




SECTION 





84 



19 



EP 0 817 420 A2 



FIG. 7 



C START ) 



ENCRYPT RANDOM 
NUMBER RA INTO CODE 
C1 USING KEY KB 



1 



S1 



TRANSMIT Cl 



< 



S2 



S3 



PREDETERMINED TIME 
HAS ELAPSED? 



NO 



El 



■\YES_ 



S4 



<C2 AND C3 AER RECEIVED?} 



YES 



DECRYPT C2 INTO PLAIN TEXT M2 
USING KEY KA, AND DECODE C3 
INTO PLAIN TEXT M3 USING 
KEY KA 



< RA= M2? XjfT- 
YESj 



AUTHENTICATE 
IC CARD 

T 



S7 



ENCRYPT M3 
INTO CODE C4 
USING Kb 



I 



S8 



TRANSMIT C4 



S9 



S5 



C END ) 



20 



EP 0 817 420 A2 



FIG. 8 



C START ) 



_£21 



^ Ci IS RECEIVED? ^ 



NO 



> 


,YES 


DECRYPT 


C1 


INTO PLAIN 


TEXT Ml 


USING KEY KB 



S22 



ENCRYPT M1 INTO CODE C2 
USING KEY KA, AND ENCRYPT 
RANDOM NUMBER RB INTO 
COD E C3 USING KA 

i 



S23 



TRANSMIT C2 AND C3 



S24 



< C4 IS RECEIVED? 



YES 



DECRYPT C4 INTO 
PLAIN TEXT M4 
USING KEY KB 

T 




S26 



PREDETERMINED 
TIME HAS ELAPSED?/ 



NO 



S28 

< RB= M4? y 



YES 



I 



NO 



AUTHENTICATE R/W 



S29 



YES 



C END ) 



21 



EP 0 817 420 A2 



FIG. 9 



R/W 
Ka, Kb 



Random Number 
>~ RA 



Kb 



ENCRYPTION 



(COMPARE 



[Ra]B 
[Ra]A 



Ka 



DECRYPTION 



->- RA 



KA 



Kb 



(RB]A 
I 



DECRYPTION 
1 

RB 

I 



ENCRYPTION 



[RB]B 



IC CARD 
Ka, Kb 



[RA]B 



jt IRA]B 



KB 



KA 



DECRYPTION 



T 
ra 



ENCRYPTION 



[RA}A 
I^JAbJA 



f . [RA]A 

" Random Number 
RB •< 



KA 



ENCRYPTION 



[RB]B 



[RB]A 
[RB]B 



(COMPARE) 



KB 



DECRYPTION 

1 

RB 



22 



EP 0 817 420 A2 



FIG. 10 



C START ^ 



ENCRYPT ID INTO CODE ClD 
USING KEY KID, AND ENCRYPT 
TRANSMISSION COMMAND INTO 
CODE CCOM USING KID 



I 



S41 



TRANSMIT ClD AND CCOM 



PREDETERMINED TIME 
HAS ELAPSED! 



NO 



< 



S42 



^43 



NO 



> 



YES 



ClD AND CRE 
ARE RECEIVED? 
|YES~ 



> 



DECRYPT ClD INTO PLAIN 
TEXT MID USING KID 



S47 



S48 

<IP<MiP?> Hn 
YES | 



DECRYPT CRE 


USING 


KID 




r S50 



< 



S49 



COMMUNICATIONS 
TERMINATED? 



NO 



YES 
C END ) 



S45 



SELECT THE SAME 
TRANSMISSION 
COMMAND 



S46 



INCREASE THE 
VALUE OF ID BY 1 



T 



S51 



SELECT THE NEXT 

TRANSMISSION 

COMMAND 



23 



EP 0 817 420 A2 



FIG. 11 



( START ) 



1 




* S61 


f ClD AND CCOM ARE \N0_ 





r YES 


DECRYPT CID INTO PLAIN 
TEXT Mid USING Kid 


> 


t S63 


<ID^M.D?> i37? — 



S62 



YES, 


r 


DECRYPT CCOM USING KID 



S64 



PROCESS CORRESPONDING 
TO TRANSMISSION COMMAND 



GENERATE RESPONSE DATA 
CORRESPONDING TO 
PROCESSING RESULTS 



I 



S65 



S66 



INCREASE ID OF 
IC CARD 2 BY 1 



I 



S67 



ENCRYPT ID INTO ClD USING KlD, 
AND ENCRYPT RESPONSE DATA 
INTO CRE USING KID 



S68 



TRANSMIT CID AND CRE 
TO R/W1 



S69 



( END ) 



24 



EP 0 817 420 A2 



FIG. 12 



[ 



R/W 
ka, Kb 



ra, Rb 



Command 



KB ENCRYPTION 



I 

[Command] id 



( 



IC CARD 
KA, KB 



RA, RB 



[Command] id 



[Command] id 



KID I DECRYPTION 

Y 

Command 



FIG. 13 



C 



Ka or Kb 



1 



Kdata 



Kdata 



R/W 
Ka, Kb 



Data 
__L_ 



ENCRYPTION 



[Data] data 



IC CARD 
KA, KB 



[Data] data .„ , , J . 
[Data] data 

WRITE 



1 



MEMORY 



Ka or Kb [Data] data 

1 



|READ 
.l D ^ a J_ d t ,a _ [Data] data 



DECRYPTION 



Data 



25 



EP 0 817 420 A2 



FIG. 14 



TRANSMITTING 


KEY K 

1 




PARTY 






i 




PLAIN * 


ENCRYPTION 
SECTION 


„ ENCRYPTION 


TEXT M 


'TEXT c 



101 



LINE WHICH IS NOT SAFE 
(TRANSMISSION LINE) 



RECEIVING 
PARTY 


KEY K 

i 




r 


PLAIN ^ 


DECRYPTION 


^ ENCRYPTION 


TEXT M * 


SECTION 


TEXT 


C 



26 



• 



EP 0 817 420 A2 



FIG. 15 



111 

i 

AUTHENTICATING 
PARTY 

RANDOM 
NUMBER M 

4 



KEY K- 



C«*- 

i_ 



DECRYPTION 
SECTION 



(^ATCHED^>— >M1 



M 



LINE WHICH 
IS NOT 
SAFE 



112 

■ i_ 

PARTY TO BE 
AUTHENTICATED 



ENCRYPTION 
SECTION 



T 

c 



-KEY K 



27 



